Re: Linux 5.15.205

From: gregkh@xxxxxxxxxxxxxxxxxxx

Date: Fri May 08 2026 - 10:54:46 EST


On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
> On Fri, 2026-05-08 at 16:30 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> > On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 3:50 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > > > On Fri, May 8, 2026 at 2:44 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > > > > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > > > > >
> > > > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > > > >
> > > > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > >
> > > > > > > Would this need to be:
> > > > > > >
> > > > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > >
> > > > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > > > >
> > > > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > The newly released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > > > >
> > > > > ```
> > > > > $ ./run.sh
> > > > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > > > 'sick::0:0:<pad>:/:/bin/bash'
> > > > > === Stage 2 — verify
> > > > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > > > # uname -r
> > > > > 5.15.205
> > > > > ```
> > > > >
> > > >
> > > > Does the patch below fix this up?
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > > > ------------------
> > > >
> > > >
> > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > > index 68509e1f89b5..5d8f8a5901bc 100644
> > > > --- a/net/ipv4/ip_output.c
> > > > +++ b/net/ipv4/ip_output.c
> > > > @@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > > > goto error;
> > > > }
> > > >
> > > > - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > >
> > > > if (skb->ip_summed == CHECKSUM_NONE) {
> > > > __wsum csum;
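Review bot: the field name in the `-` line is the whole bug, so the 6.1.y backport needs the same check before a release goes out: as Dominik notes above, SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags and skb_has_shared_frag() reads skb_shinfo(skb)->flags, so `skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;` never makes that helper return true and the shared-fragment path it guards is skipped. Ben reports that the PoC did not trigger on 6.1 even without any patch, so his testing there could not have caught a copy of this mistake; a grep for `tx_flags |= SKBFL_` across the 6.1.y tree would settle it quickly. The patch itself also carries no description, so the stable commit should say that this corrects the earlier backport and credit the report (Reported-by: Dominik Grzegorzek; tested by Massimiliano Pellizzer, who confirms the PoC no longer succeeds with the corrected line).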
> > >
> > > Yes, this works.
> >
> > Wait, is this also needed in the 6.1.y backport as well?
> >
> > Ben, I'm guessing you tested the 6.1.y backport, right?
>
> Yes, but on 6.1 the PoC never succeeded for me even without the patch.
> (On 5.10 and 6.12 it does.) So unfortunately that testing could not
> show whether my attempted fix was correct.
>
> Sorry for screwing this one up.

Not a problem, thanks for doing the backport at all! I'll go do a new
6.1.y release now.

Releases for everyone!!!

thanks,

greg k-h